Re: apache2: fix the regressions introduced by security upgrade in Bullseye?
On Mon 3 Apr 2023, at 13:27, Harald Dunkel <harri@afaics.de> wrote:
> Hi folks,
>
> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
> with high severity). Good thing.
>
> Unfortunately this introduced 2 regressions for mod_rewrite and
> http2, see
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
>
> Would it be possible to fix the upgrade? I can turn off http2,
> but I feel *very* bad about running an apache with a broken
> mod_rewrite in production.
>
>
> Thank you very much
>
> Harri
"In Mitre's CVE dictionary: [..] CVE-2023-25690, CVE-2023-27522 [...]
For the stable distribution (bullseye), these problems have been fixed in version 2.4.56-1~deb11u1.
We recommend that you upgrade your apache2 packages."
https://www.debian.org/security/2023/dsa-5376
$ apt policy apache2
apache2:
  Installed: 2.4.56-1~deb11u1
  Candidate: 2.4.56-1~deb11u1
  Version table:
 *** 2.4.56-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
You will need at least
deb http://security.debian.org/debian-security/ bullseye-security main
in /etc/apt/sources.list if not there already, though I think "contrib" and certainly "non-free" are unnecessary in this particular case.
Best wishes,
Gareth
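Added example (not part of either mail above): a POSIX sh script that turns Gareth's two manual checks into something repeatable. It parses the output of `apt policy apache2`, confirms the installed version is exactly the DSA-5376 fixed version 2.4.56-1~deb11u1 and that it was served from bullseye-security, and checks that a sources.list actually carries the bullseye-security line he recommends. The apt output and sources.list text are constructed samples embedded inline (copied from the reply, plus one "(none)" case) so the script runs offline; the function names are mine. The exact-match test is a simplification: on a real host a later ~deb11uN revision also carries the fix, and `dpkg --compare-versions "$inst" ge 2.4.56-1~deb11u1` is the proper comparison.

```shell
#!/bin/sh
# Added example: verify that apache2 received the DSA-5376 fix and that the
# bullseye-security suite is configured. Runs offline: input is passed as text
# instead of being read from the live system.

DSA_FIXED_VERSION="2.4.56-1~deb11u1"

# Constructed sample: the `apt policy apache2` output shown in the reply.
SAMPLE_POLICY='apache2:
  Installed: 2.4.56-1~deb11u1
  Candidate: 2.4.56-1~deb11u1
  Version table:
 *** 2.4.56-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages'

# Constructed sample: package not installed, candidate available from security.
SAMPLE_POLICY_MISSING='apache2:
  Installed: (none)
  Candidate: 2.4.56-1~deb11u1
  Version table:
     2.4.56-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages'

# Constructed sample sources.list with the security suite present.
SAMPLE_SOURCES='deb http://deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security/ bullseye-security main
# deb http://deb.debian.org/debian bullseye-updates main'

# installed_version POLICY_TEXT -> prints the "Installed:" field ("(none)" if absent)
installed_version() {
    printf '%s\n' "$1" | awk '$1 == "Installed:" { print $2; exit }'
}

# version_source POLICY_TEXT VERSION -> prints the suite (e.g. bullseye-security)
# found on the repository line that follows VERSION in the version table.
version_source() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$1" | awk -v v="$2" '
        found && $2 ~ /^http/ { split($3, parts, "/"); print parts[1]; exit }
        $1 == "***" && $2 == v { found = 1; next }
        $1 == v { found = 1; next }'
}

# has_security_suite SOURCES_TEXT -> 0 if an active (uncommented) deb line for
# bullseye-security on security.debian.org exists, 1 otherwise.
has_security_suite() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*deb[[:space:]]+https?://security\.debian\.org/debian-security/?[[:space:]]+bullseye-security[[:space:]]'
}

# check_fix POLICY_TEXT SOURCES_TEXT -> prints one verdict per check,
# returns 0 only when every check passes.
check_fix() {
    inst=$(installed_version "$1")
    src=$(version_source "$1" "$inst")
    status=0
    if [ "$inst" = "$DSA_FIXED_VERSION" ]; then
        echo "ok: installed $inst matches the DSA-5376 fixed version"
    else
        echo "FAIL: installed '$inst', expected $DSA_FIXED_VERSION"; status=1
    fi
    if [ "$src" = "bullseye-security" ]; then
        echo "ok: $inst was served from bullseye-security"
    else
        echo "FAIL: $inst came from '${src:-unknown}', not bullseye-security"; status=1
    fi
    if has_security_suite "$2"; then
        echo "ok: bullseye-security is enabled in sources.list"
    else
        echo "FAIL: add 'deb http://security.debian.org/debian-security/ bullseye-security main'"; status=1
    fi
    return $status
}

check_fix "$SAMPLE_POLICY" "$SAMPLE_SOURCES"
```

On a real Bullseye host the two sample variables would be replaced by `apt policy apache2` and the contents of /etc/apt/sources.list (plus /etc/apt/sources.list.d/*), and the version test widened with `dpkg --compare-versions` as noted above.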